In the Linux kernel, the following vulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commit made it possible to create smc_sock as an INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET and AF_INET6 sk_family, which confusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),which is an address of a function in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
In the Linux kernel, the following vulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commit made it possible to create smc_sock as an INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET and AF_INET6 sk_family, which confusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),which is an address of a function in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
In the Linux kernel, the following vulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commit made it possible to create smc_sock as an INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET and AF_INET6 sk_family, which confusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),which is an address of a function in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
In the Linux kernel, the following vulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commit made it possible to create smc_sock as an INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET and AF_INET6 sk_family, which confusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),which is an address of a function in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
In the Linux kernel, the followingvulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] incipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commitmadeit possible tocreate smc_sock asan INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET andAF_INET6 sk_family, whichconfusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),whichisanaddress of afunction in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
A vulnerability was found in LinuxKernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476.A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminatesthisvulnerability.Applying the patch5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5is able to eliminate thisproblem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggestedtobeupgrading tothe latest version.
A vulnerability was found in Linux Kernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch 5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
A vulnerability was found in Linux Kernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch 5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
A vulnerability was found in Linux Kernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch 5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
A vulnerability was found in Linux Kernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch 5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
A vulnerability was found in Linux Kernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch 5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
A vulnerability was found in Linux Kernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminates this vulnerability. Applying the patch 5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.
A vulnerability was found in LinuxKernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476.A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminatesthisvulnerability.Applying the patch5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5is able to eliminate thisproblem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggestedtobeupgrading tothe latest version.
In the Linux kernel, the followingvulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] incipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commitmadeit possible tocreate smc_sock asan INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET andAF_INET6 sk_family, whichconfusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),whichisanaddress of afunction in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
In the Linux kernel, the followingvulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] incipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commitmadeit possible tocreate smc_sock asan INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET andAF_INET6 sk_family, whichconfusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),whichisanaddress of afunction in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
A vulnerability was found in LinuxKernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476.A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminatesthisvulnerability.Applying the patch5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5is able to eliminate thisproblem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggestedtobeupgrading tothe latest version.
A vulnerability was found in LinuxKernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476.A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminatesthisvulnerability.Applying the patch5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5is able to eliminate thisproblem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggestedtobeupgrading tothe latest version.
In the Linux kernel, the followingvulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] incipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commitmadeit possible tocreate smc_sock asan INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET andAF_INET6 sk_family, whichconfusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),whichisanaddress of afunction in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
In the Linux kernel, the followingvulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] incipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commitmadeit possible tocreate smc_sock asan INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET andAF_INET6 sk_family, whichconfusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),whichisanaddress of afunction in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
A vulnerability was found in LinuxKernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476.A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminatesthisvulnerability.Applying the patch5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5is able to eliminate thisproblem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggestedtobeupgrading tothe latest version.
A vulnerability was found in LinuxKernel up to 6.12.39/6.15.7 (Operating System) and classified as critical.Using CWE to declare the problem leads to CWE-476.A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.Impacted is availability.Upgrading to version 6.12.40 or 6.15.8 eliminatesthisvulnerability.Applying the patch5b02e397929e5b13b969ef1f8e43c7951e2864f5/67a167a6b8b45607bc34aa541d1c75097d18d460/60ada4fe644edaa6c2da97364184b0425e8aeaf5is able to eliminate thisproblem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggestedtobeupgrading tothe latest version.
In the Linux kernel, the followingvulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] incipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commitmadeit possible tocreate smc_sock asan INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET andAF_INET6 sk_family, whichconfusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),whichisanaddress of afunction in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
In the Linux kernel, the following vulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commit made it possible to create smc_sock as an INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET and AF_INET6 sk_family, which confusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),which is an address of a function in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
In the Linux kernel, the following vulnerability has been resolved:smc: Fix various oops due to inet_sock type confusion.syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() whilefreeing inet_sk(sk)->inet_opt.The address was freed multiple times even though it was read-only memory.cipso_v4_sock_setattr() did nothing wrong, and the root cause was typeconfusion.The cited commit made it possible to create smc_sock as an INET socket.The issue is that struct smc_sock does not have struct inet_sock as thefirst member but hijacks AF_INET and AF_INET6 sk_family, which confusesvarious places.In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(),which is an address of a function in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */The same issue for another field was reported before. [2][3]At that time, an ugly hack was suggested [4], but it makes both INETand SMC code error-prone and hard to change.Also, yet another variant was fixed by a hacky commit 98d4435efcbf3( net/smc: prevent NULL pointer dereference in txopt_get ).Instead of papering over the root cause by such hacks, we should notallow non-INET socket to reuse the INET infra.Let s add inet_sock as the first member of smc_sock.[0]:kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955Modules linked in:CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPTTainted: [W]=WARNHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955sp : ffff8000a03a7730x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffffx17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14cx14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffffx11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600[---truncated---
